Upgrade Suricata to the latest git in Security Onion
Security Onion is an Ubuntu-based security distro (securityonion.blogspot.com) that ships the stable Suricata release.
If you would like to upgrade to the latest (git, non-stable) Suricata, follow this guide.
This guide was tested on Security Onion 12.04 Ubuntu LTS 64-bit edition:
root@IDPS:~# uname -a
Linux IDPS 3.2.0-29-generic #46-Ubuntu SMP Fri Jul 27 17:03:23 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Before the Suricata upgrade we have (at the time of this writing):
root@IDPS:~# suricata --build-info
26/3/2013 -- 07:52:49 - <Info> - This is Suricata version 1.3.3 RELEASE
26/3/2013 -- 07:52:49 - <Info> - Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW HAVE_NSS
26/3/2013 -- 07:52:49 - <Info> - 64-bits, Little-endian architecture
26/3/2013 -- 07:52:49 - <Info> - GCC version 4.6.3, C version 199901
26/3/2013 -- 07:52:49 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
26/3/2013 -- 07:52:49 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
26/3/2013 -- 07:52:49 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
26/3/2013 -- 07:52:49 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
26/3/2013 -- 07:52:49 - <Info> - compiled with -fstack-protector
26/3/2013 -- 07:52:49 - <Info> - compiled with _FORTIFY_SOURCE=2
root@IDPS:~#
We install the packages below (my personal selection) to build the latest Suricata (from git) with GeoIP, Unix socket, pf_ring and MD5 file checksum support.
Note: some of these packages are already installed. They are listed here for completeness.
It is good to stop the sensor in Security Onion first, so that no database or other problem arises while the binary is replaced:
nsm_sensor_ps-stop
To be able to compile Suricata from scratch/git:
apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make flex bison git git-core subversion libmagic-dev
For GeoIP:
apt-get install libgeoip1 libgeoip-dev
For Unix Socket:
apt-get install libjansson4 libjansson-dev python-simplejson
For pf_ring support (this package comes from the Security Onion repository):
apt-get install securityonion-pfring-devel
For MD5 file checksum support (via libnss):
apt-get install libnss3-dev libnspr4-dev
Then we get the latest available git version:
git clone git://phalanx.openinfosecfoundation.org/oisf.git
We change into the source directory and clone the latest libhtp 0.5.x sources inside it:
cd oisf
git clone https://github.com/OISF/libhtp.git -b 0.5.x
Then:
./autogen.sh
Then we configure with the chosen options and compile.
The configuration options chosen here are:
- the Suricata binary will be installed as /usr/bin/suricata,
- the stats and log files will live under /var/log/,
- the config files will be installed in /etc/suricata/,
- GeoIP,
- MD5,
- Unix socket,
- pf_ring:
./configure \
--prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ \
--disable-gccmarch-native --enable-pfring --enable-gccprotect --enable-geoip --enable-unix-socket \
--with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib --with-libpcap-includes=/opt/pfring/include \
--with-libpcap-libraries=/opt/pfring/lib --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr && make clean && make
NOTE: If you would like to compile and install Suricata with debugging enabled, use:
CFLAGS="-O0 -ggdb" ./configure \
instead of just
./configure \
Then we install:
make install && ldconfig
Or, if you prefer a one-liner:
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/OISF/libhtp.git -b 0.5.x && \
./autogen.sh && ./configure \
--prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ \
--disable-gccmarch-native --enable-pfring --enable-gccprotect --enable-geoip --enable-unix-socket \
--with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib --with-libpcap-includes=/opt/pfring/include \
--with-libpcap-libraries=/opt/pfring/lib --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr && make clean && make && \
make install && ldconfig
Then we start the sensor jobs again, now running the newly built Suricata:
nsm_sensor_ps-start
After the upgrade we have (at the time of this writing):
root@IDPS:~/Work/tmp/oisf# suricata --build-info
This is Suricata version 2.0dev (rev 31a024c)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LIBJANSSON
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.9, linked against LibHTP v0.5.9

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                no
  libluajit:                               no
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no
root@IDPS:~/Work/tmp/oisf# which suricata
/usr/bin/suricata
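A check worth running between `make install && ldconfig` and `nsm_sensor_ps-start`, so the sensor is not restarted on a binary that silently lost pf_ring, GeoIP, libnss or Unix socket support: it parses `suricata --build-info` output and refuses an incomplete build. This is an added example, not part of the original post; the two sample outputs are constructed from the before/after build-info shown in this guide, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the freshly built binary
# advertises the features this guide configured, before the sensor is started again.
# Run it between "make install && ldconfig" and nsm_sensor_ps-start.
# suricata_version INFO: print the version string from --build-info text.
suricata_version() {
    printf '%s\n' "$1" | sed -n 's/.*This is Suricata version //p'
}
# check_build_features INFO: return 0 if every expected feature is present,
# otherwise list the missing ones on stderr and return 1.
check_build_features() {
    info="$1"
    missing=""
    # Tokens expected on the "Features:" line (MD5 needs HAVE_NSS, Unix socket HAVE_LIBJANSSON).
    features=" $(printf '%s\n' "$info" | sed -n 's/.*Features: //p') "
    for flag in PF_RING AF_PACKET HAVE_NSS HAVE_LIBJANSSON; do
        case "$features" in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    # Entries under "Suricata Configuration:" that must read "yes".
    for item in "PF_RING support" "Unix socket enabled" "libnss support" \
                "libjansson support" "libgeoip"; do
        printf '%s\n' "$info" | grep -q "^ *$item: *yes" || missing="$missing $item"
    done
    [ -z "$missing" ] && return 0
    printf 'missing:%s\n' "$missing" >&2
    return 1
}
# Constructed sample: the post-upgrade output from this guide, cut down to the lines
# the check reads (the real output pads the columns more widely).
NEW_INFO='This is Suricata version 2.0dev (rev 31a024c)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LIBJANSSON
Suricata Configuration:
  PF_RING support:          yes
  Unix socket enabled:      yes
  libnss support:           yes
  libjansson support:       yes
  libgeoip:                 yes'
# Constructed sample: the stock 1.3.3 build (no jansson, no configuration block).
OLD_INFO='This is Suricata version 1.3.3 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_NSS'
# Check the live binary when one is on PATH; otherwise exercise the sample above.
if command -v suricata >/dev/null 2>&1; then INFO=$(suricata --build-info 2>&1); else INFO="$NEW_INFO"; fi
if check_build_features "$INFO"; then
    echo "Suricata $(suricata_version "$INFO") has all expected features; ok to nsm_sensor_ps-start"
else
    echo "refusing to start the sensor with an incomplete build" >&2
fi
```

On the stock 1.3.3 binary the check reports the missing HAVE_LIBJANSSON token and the absent configuration entries, which is exactly the difference the two build-info listings above show.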
That's all.
Peter Manev